The Raspberry Robin worm is changing into an access-as-a-service malware for deploying different payloads, together with IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware.
It is “a part of a posh and interconnected malware ecosystem, with hyperlinks to different malware households and alternate an infection strategies past its unique USB drive unfold,” the Microsoft Security Threat Intelligence Center (MSTIC) mentioned in an in depth write-up.
Raspberry Robin, additionally referred to as QNAP Worm owing to the usage of compromised QNAP storage servers for command-and-control, is the identify given to a malware by cybersecurity firm Red Canary that spreads to Windows methods via contaminated USB drives.
MSTIC is protecting tabs on the exercise group behind the USB-based Raspberry Robin infections as DEV-0856, including it is conscious of not less than 4 confirmed entry factors that every one have the probably finish objective of deploying ransomware.
The tech big’s cybersecurity crew mentioned that Raspberry Robin has developed from a broadly distributed worm with no noticed post-infection actions to one of many largest malware distribution platforms at the moment energetic.
According to telemetry information collected from Microsoft Defender for Endpoint, roughly 3,000 units spanning practically 1,000 organizations have encountered not less than one Raspberry Robin payload-related alert within the final 30 days.
The newest growth provides to rising proof of post-exploitation actions linked to Raspberry Robin, which, in July 2022, was found performing as a conduit to ship the FakeUpdates (aka SocGholish) malware.
This FakeUpdates exercise has additionally been adopted by pre-ransomware habits attributed to a menace cluster tracked by Microsoft as DEV-0243 (aka Evil Corp), the notorious Russian cybercrime syndicate behind the Dridex trojan and a command-and-control (C2) framework referred to as TeslaGun.
Microsoft, in October 2022, mentioned it detected Raspberry Robin being utilized in post-compromise exercise attributed to a distinct menace actor it has codenamed DEV-0950 and which overlaps with teams monitored publicly as FIN11 and TA505.
While the names FIN11 and TA505 have usually been used interchangeably, Google-owned Mandiant (previously FireEye) describes FIN11 as a subset of exercise below the TA505 group.
It’s additionally price declaring the conflation of Evil Corp and TA505, though Proofpoint assesses “TA505 to be completely different than Evil Corp,” suggesting that these clusters share partial tactical commonalities with each other.
“From a Raspberry Robin an infection, the DEV-0950 exercise led to Cobalt Strike hands-on-keyboard compromises, generally with a TrueBot an infection noticed in between the Raspberry Robin and Cobalt Strike stage,” the researcher mentioned. “The exercise culminated in deployments of the Clop ransomware.”
Microsoft additionally theorized that the actors behind these Raspberry Robin-related malware campaigns are paying the worm’s operators for payload supply, enabling them to maneuver away from phishing as a vector to amass new victims.
What’s extra, a cybercriminal actor dubbed DEV-0651 has been linked to the distribution of one other artifact referred to as Fauppod via the abuse of official cloud providers, which displays code similarities to Raspberry Robin and in addition drops the FakeUpdates malware.
The Windows maker additional famous wih medium confidence that Fauppod represents the earliest recognized hyperlink within the Raspberry Robin an infection chain for propagating the latter through LNK information to USB drives.
To add to the assault puzzle, IBM Security X-Force, early final month, recognized useful similarities between a loader part used within the Raspberry Robin an infection chain and the Dridex malware. Microsoft is attributing this code-level connection to Fauppod adopting Dridex’s strategies to keep away from execution in particular environments.
“Raspberry Robin’s an infection chain is a complicated and sophisticated map of a number of an infection factors that may result in many various outcomes, even in situations the place two hosts are contaminated concurrently,” Microsoft mentioned.